The Role of People-Centric Security Systems and Defense in Depth
Is it possible that IT administrators are actually doing too much to secure their corporate networks? Given the rate at which the enterprise security landscape changes, it almost seems like a rhetorical question at first. However, there’s growing concern that all of the remote access policies and procedures in place are doing more harm than good. In fact, at the recent Gartner Security and Risk Management Summit, Research Vice President Tom Scholtz went so far as to say that we have “lost the race in our attempt to throw controls at everything.” Could he be right?
A recent ZDNet article makes a strong argument to back Scholtz’s claim. At its simplest, the problem with current controls is that they very rarely speak to individual users in a way that resonates with them. If employees working remotely don’t understand why certain protocols are in place, they probably won’t feel inclined to follow them. But what if companies did a better job explaining the dangers of not adhering to remote access policies? Would that provide the necessary incentive for remote employees? Scholtz certainly thinks so.
According to the article, the key is for companies to adopt a people-centric security (PCS) system. For this system to succeed, the entire organization must be security-focused, and the best way to accomplish this is through employee education and awareness. It’s a concept that Scholtz compares to the “shared spaces” idea made famous by Hans Monderman, the Dutch road traffic engineer and innovator. Despite how dangerous the idea of vehicles and pedestrians sharing roadways with minimal signage may sound, it actually causes people behind the wheel and on foot to be more attentive to their surroundings, reducing the number of accidents.
All of this being considered, it’s important to note that a PCS system alone is not an adequate defense, mainly because it is designed to improve security from inside the company. Scholtz even acknowledges that every so often, things are bound to go wrong. In these instances, PCS is one important means toward the real goal: a defense in depth strategy.
So, even though we may see companies start to pull the reins on certain security protocols, it’s unlikely that IPsec and SSL VPNs, firewalls, two-factor authentication and other defense mechanisms will fall off the map. In fact, remote access technologies such as these may even see enhancements, such as elliptic curve cryptography (ECC), in the near future. We’re likely to see these advances come alongside a shift toward VPNs with central management as companies rethink their security strategy and look for ways that network administrators can react to security breaches on the fly. In addition to central management, integrated security frameworks provide another layer of preventative security by allowing security components to communicate with each other and automate remote access processes. It will certainly be interesting to see how PCS approaches integrate with evolving defense in depth solutions and advanced security frameworks.